By Scott Gordon, CISSP
CMO, Pulse Secure
Note: This article was originally published on InCyberDefense.
Remote work has become the standard operating mode for at least 50% of the U.S. population, and employers are increasingly offering flexible working arrangements as a benefit for attracting top talent. Combine those away-from-the-office employees with the traditional mobile workforce — salespeople, traveling executives, adjusters, inspectors, contractors, onsite service providers and an array of other field personnel — and you have a wide mix of endpoint devices that need remote access to company data and applications.
Start a management degree at American Public University.
Remote and mobile endpoints, including laptops, smartphones and tablets, represent a significant point of vulnerability for security breaches according to “The 2019 State of Enterprise Secure Access,” a research study from IDC Connect and Pulse Secure. This study surveyed 300 companies from the U.S., U.K., Germany, Austria and Switzerland. The challenge facing companies today is to address those vulnerabilities by providing secure access for all endpoints without impacting user satisfaction.
Endpoint Exposures from Remote Workers Put Data and Applications at Risk
Endpoint exposures accounted for more than half of the significant-to-high-impact security incidents reported in the survey. Malware was in first place at 55%, unauthorized/vulnerable endpoint use was at 52%, and mobile and web app exposure was at 49%.
To address these security vulnerabilities, companies should look at the effectiveness of user education about risks such as downloading malware-infested attachments and linking to spoofed websites. Organizations can also consider implementing more automated ways to contain or prevent these threats before giving users access to sensitive resources and data.
In addition, the study’s findings indicate that issues with poor access authorization (46%) and resource access protection (45%) through lax authentication and encryption are among prominent factors contributing to the security incidents impacting organizations today. To address these and other cybersecurity shortcomings, organizations are increasingly applying the zero-trust security model.
A zero trust model applies authentication, authorization, and verification controls to users, devices, applications and network resources. In fact, Forrester Research predicts this security model will become the ad hoc standard in the U.S. by 2020. This model is all about proving an end user’s identity, location, device, and security state before and after that end user is granted access based on least privilege to data center/cloud applications and resources.
Access Control Gaps Lead to Endpoint Exposures
How can these security issues be addressed? One place to start is to identify what access security control gaps to focus on.
A large majority of survey respondents (79%) identified poor user and device discovery and mobile computing exposures as significant or impactful access control gaps. You can’t secure what you can’t see. Reducing these blind spots requires more automated and granular visibility of users, endpoints, and mobile devices.
Endpoint access, device configuration compliance, and policy enforcement controls are all also significant or impactful security gaps for 78% of respondents. These findings suggest that organizations should, at minimum, assess their existing coverage for user and device discovery as well as existing authentication and monitoring technologies in order to determine the effectiveness of these access security control points.
Find the Right Toolset for Mobile and Remote Secure Access
Organizations continue to rely on virtual private networks (VPNs) to give mobile and remote users access to network and cloud resources. Applying zero trust principles to secure access requires integrating VPN and multiple additional capabilities in a single suite of tools — and doing so without sacrificing end-user satisfaction. That means utilizing end-user client software that is easy to use and makes technical issues such as access methods and control points invisible.
Ultimately, the result should be secure access anytime, anywhere, from any device. In evaluating secure access vendors, look for solutions that provide:
- Dual-mode VPN and software-defined perimeter (SDP) access to data center and cloud resources for laptop, desktop, and mobile devices
- Unified endpoint management tools, including mobile device management and containerization for bring your own device (BYOD) mobile devices
- A unified end-user client for VPN and network access control (NAC)
- A client that supports multiple desktop and mobile operating systems with a single user experience across all
- Agent and agent-less client options to simplify connectivity
- Identity, device and security state authentication
- Pre- and post-connect endpoint posture assessment
- Endpoint discovery, monitoring and segregation
- Single sign-on (SSO)
- Secure mobile browser
Now Is the Time to Evaluate Your Secure Access Postures and Adopt the Zero Trust Model
All signs indicate that employee demand for mobile device access will continue to grow, while adoption of BYOD is projected to grow at a compound annual growth rate (CAGR) of more than 17% over the next four years. Likewise, the near future will see steady growth in the number of people working remotely, either full or part-time. Now is the time to assess the state of access security for mobile devices and other remote endpoints to prevent security exposures and mitigate risks.
About the Author
Scott Gordon is the chief marketing officer at Pulse Secure, responsible for global marketing strategy, communications, operations, channel and sales enablement. He possesses over 20 years of experience contributing to security management, network, endpoint and data security, and risk assessment technologies at innovative startups and large organizations across SaaS, hardware and enterprise software platforms. Previously, Scott was CMO at RiskIQ and ForeScout (FSCT). He has also held executive and management roles at AccelOps , Protego, Axent and McAfee.